Wednesday, 16 April 2008

First it was Phishing, now it's Whaling!!

SAN FRANCISCO — An e-mail scam aimed squarely at the nation’s top executives is raising new alarms about the ease with which people and companies can be deceived by online criminals.

An image of the fake document contained in e-mail messages sent to thousands of executives as part of an online scam.

Thousands of high-ranking executives across the country have been receiving e-mail messages this week that appear to be official subpoenas from the United States District Court in San Diego. Each message includes the executive’s name, company and phone number, and commands the recipient to appear before a grand jury in a civil case.

A link embedded in the message purports to offer a copy of the entire subpoena. But a recipient who tries to view the document unwittingly downloads and installs software that secretly records keystrokes and sends the data to a remote computer over the Internet. This lets the criminals capture passwords and other personal or corporate information.

Another piece of the software allows the computer to be controlled remotely. According to researchers who have analyzed the downloaded file, less than 40 percent of commercial antivirus programs were able to recognize and intercept the attack.

The tactic of aiming at the rich and powerful with an online scam is referred to by computer security experts as whaling. The term is a play on phishing, an approach that usually involves tricking e-mail users — in this case the big fish — into divulging personal information like credit card numbers. Phishing attacks that are directed at a particular person, rather than blasted out to millions, are also known as spear phishing.

The latest campaign has been widespread enough that two California federal courts and the administrative office of the United States Courts posted warnings about the fake messages on their Web sites. Federal officials said they stopped counting after getting hundreds of phone calls from corporations about the messages. At midday on Tuesday, one antispam company, MX Logic, said in a Web posting that its service was still seeing at least 30 of the messages an hour.

Security researchers at several firms indicated they believed there had been at least several thousand victims of the attack whose computers had been compromised.

“We have seen about 2,000 victims, more or less,” said John Bambenek, a security researcher at the University of Illinois at Urbana-Champaign and a volunteer at the Internet Storm Center, a network security organization.

Researchers were studying a list of the Internet addresses of infected computers that iDefense Labs, a research unit of VeriSign, had assembled by monitoring network traffic.

Personalized scam messages have been on the radar of security researchers and law enforcement officials for several years, but the latest variant is a fresh indication of the threat posed by such digital ruses.

“I think that it was well done in terms of something people would feel compelled to respond to,” said Steve Kirsch, the chief executive of Abaca, an antispam company based in San Jose, Calif.

Mr. Kirsch himself received a copy of the message and forwarded it to the company lawyer. “It had my name, phone number, company and correct e-mail address on it and looked pretty legitimate,” Mr. Kirsch said. “Even the U.R.L. to find out more looked legitimate at first glance.”

When the lawyer tried to download a copy of the subpoena and the computer restarted itself, they quickly realized that the file contained malicious software.

Several computer security researchers said that the attack was the work of a group that tried a similar assault in November 2007. In that case, the e-mail message appeared to come from the Justice Department and stated that a complaint had been filed against the recipient’s company.

The software used in the latest attack tries to communicate with a computer in Singapore. That system was still functioning on Tuesday evening, but security researchers said many Internet service providers had blocked access to it.

A number of clues, like misspellings, in the fake subpoena led several researchers to believe that the attackers were not familiar with the United States court system and that the group might be based in a place that used a British variant of English, such as Hong Kong.

“This is probably Chinese-based,” said Mr. Bambenek. “If all the key players are in China there is not much the F.B.I. can do.”

Several security researchers said that the real danger of the attack lay in a second level of deception, after the hidden software provided the attackers with digital credentials like passwords and electronic certificates.

“There are very subtle nuances to their attacks that are well known in the financial industry but are not well publicized,” said Matt Richard, director of the Rapid Response Team at iDefense.

Mr. Richard said the criminals were going after a particular area of the financial industry, but he would not elaborate. He said that law enforcement officials were investigating the fraudulent documents.

Calls to the Federal Bureau of Investigation for comment were not returned.

Although the software package used to deliver the eavesdropping program is well known, it was hidden in such a way that it avoided detection by commercial programs in many cases, researchers said.

“This is pretty well-known code,” said Don Jackson, a researcher at SecureWorks, a computer security firm. “The issue has to do with repacking it.”

Recipients of the e-mail messages are directed to a fraudulent Web site with a copy of the graphics from the real federal court site. They are then asked to download and install what is said to be a piece of software from Adobe that is used to view electronic documents.

“There are several layers of social engineering involved here,” said Mike Haro, a spokesman for Sophos, a company that sells software to protect against malicious software and spam.